e9075f06a81e60ba1f6f344a7ec8c62ebe23be24f0807aea95e80b6bf7c49c42 | Triage

Analysis

max time kernel
13s
max time network
15s
platform
windows10_x64
resource
win10v20210408
submitted
26-09-2021 23:00

Sharing

Report Analysis Logs

General

Target

Loader.bin.exe
Size

6KB
MD5

5c3b3d29900401cf7c8a6f7da0a1d7fa
SHA1

41cf781fed46bf34cbec0a2852c56592297cc7ed
SHA256

fc4590965f4831e8ed0e8465df39ca064d14dfcb79f320bf937ba18807d08f2c
SHA512

ddec58841d1b8c9278802ae310701c89eaf6cf306d21cd0af1b913e54ea524438799c1038f5a3c2b2288b770b46fad785331798b7ee826fb30e5e65965bdceca

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

3276 dw20.exe
3276 dw20.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Loader.bin.exedw20.exe

description pid process

Token: SeDebugPrivilege 4060 Loader.bin.exe
Token: SeRestorePrivilege 3276 dw20.exe
Token: SeBackupPrivilege 3276 dw20.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Loader.bin.exe

description	pid	process	target process
PID 4060 wrote to memory of 3276	4060	Loader.bin.exe	dw20.exe
PID 4060 wrote to memory of 3276	4060	Loader.bin.exe	dw20.exe
PID 4060 wrote to memory of 3276	4060	Loader.bin.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Loader.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1584
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3276-115-0x0000000000000000-mapping.dmp

Download
memory/4060-114-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download